Virtualize more with WebSphere
Over 400 highly logical reasons to choose IBM WebSphere® over Oracle WebLogic®:

1. Save 57% on first-year licensing and support.

2. Choose from more virtualization options (including VMware and Xen).

3. Pay only for cores you use (not always true with Oracle WebLogic).

4-404. Be in good company (last year, over 400 Oracle WebLogic clients chose IBM WebSphere).

ibm.com/facts

SAVINGS based on publicly available information as of 6/13/2011 comparing Oracle WebLogic Server Enterprise Edition to IBM WebSphere Application Server Network Deployment, both on an IBM Power 730 Express server (2 chips, 8 cores each). IBM, the IBM logo, ibm.com, WebSphere, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2011.
[ FROM THE EDITOR ]

Contractual Obligations

Let’s imagine your company uses a cloud-based IT service and pays the provider $100,000 per year. Now let’s imagine that cloud provider suffers a security breach, and your data is compromised. The total cost to you (notifications, remediation, regulatory fines) is $1 million.

Think your cloud provider is going to cover those costs?

The answer to this very important question lies buried in the details of your contract with the service provider. You remember signing that contract, right? Or at least carefully reviewing it before the CIO signed it?

Cloud contracts typically specify a “limit of liability”—an absolute maximum the cloud provider is on the hook for in the event of a problem. The limit of liability is often some multiple of the annual revenue in the contract.

Kris Herrin, CTO of Heartland Payment Systems, brought this issue to my attention. Any time Herrin speaks to a group of IT or security professionals, he likes to ask the crowd, “What’s your multiple?” The answers are always interesting, he says, because they’re so diverse. Some people might say 10 (in which case the provider in the example at the beginning of this column would actually cover the damages). More might say 5 or 2 or 1.

A disturbingly high number of people say, “I don’t know.”

Herrin says that currently, the risk equation is way out of whack for cloud deployments, meaning most contracts have a low multiple and therefore assign too much of the risk to the cloud consumer.

Herrin also says that for companies that get it, the limit of liability in private-cloud deployments is typically a multiple of the lifetime value of the contract rather than the annual value.

You, as the cloud consumer and ultimate steward of your data, need to know your service providers’ limits of liability. And you need to have a sense of what’s common in these contracts, and also what’s fair and reasonable, and perhaps have some awareness of what might stand up in court.

Legal minutia! It’s the best part of the CSO job, right?

I have never wanted to be a lawyer, and perhaps you haven’t either. So you might not relish scouring contracts. But whether you look at guard contracts, vendor contracts, or internal service-level agreements, that duty has become a standard obligation for security leaders.

-Derek Slater, dslater@cxo.com
You spelled ‘confidential’ wrong!

3M™ Privacy Filters offer you a crisp, clear view of your laptop, desktop computer or mobile device screen while blocking wandering eyes from seeing sensitive data. To learn why visual privacy is an important part of any data security plan, download the white paper at: 3MPrivacyFilters.com/security

3M Privacy Filters. Display good judgment.
[ FROM THE PUBLISHER ]

Risky Workers

I thought we could examine a recent theme in a little more detail this month: the challenges of dealing with the consumerization of IT devices in the workplace. We recently completed a study, in partnership with Symantec, that looked at the security and compliance risks of a mobile workforce. It affirmed what I’ve believed for a long time, namely, that there is a consensus that mobile workers pose a great risk and that, for the most part, businesses are not prepared to mitigate that risk.

Today, every business has a mobile workforce of one form or another. The larger the organization, the greater the challenge. And this mobile workforce is important. Most businesses understand the benefits of untethering their employees and pushing corporate resources out into the field. But as these workers carry corporate data outside the traditional enterprise, they increase the risk of loss, theft or misuse.

Although businesses have gotten pretty good at protecting their laptops, the challenge grows exponentially as more and more devices (iPads, Android devices, and so on) are introduced into the equation. Most businesses are still coming up short in their efforts to protect these devices - not just from a technical standpoint, but also from the point of view of enforcing corporate policies that govern the acceptable use of mobile devices.

Most businesses surveyed do not use any technological solutions to enforce compliance with corporate acceptable-use policies (monitoring and enforcement, as we all know, are key tenets of a good security program - the old “trust but verify” axiom).

There are a variety of reasons that businesses haven’t adopted solutions to address this issue; the most common are related to budget and resource constraints, and where this issue falls in the pecking order of security priorities. But at the same time, 91 percent of survey respondents believe that there is a significant likelihood that mobile employees will violate their acceptable-use policies.

But if you are not willing to accept violations of acceptable-use policies among tethered workers, why do you accept violations from mobile workers? With a clear understanding of the risks, security executives need to be more proactive in addressing these security shortcomings so they can protect their organizations from compliance missteps. Failing to do so is quickly becoming a mistake that businesses cannot afford to make.

Best regards,

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

3M ..... 3
ActivIdentity Inc ..... 5
ADT Security Services ..... 9
ASSA ABLOY ..... 10
Citrix Systems Inc ..... 20
Hewlett-Packard Development Co., LP ..... C4
HID Corp ..... 7
IBM Corp ..... C2
ISACA ..... C3
The Security Confab ..... 31
University of Maryland University College ..... 25
Websense Inc ..... 19


Group Publisher Bob Melk
Publisher Bob Bragdon
Senior National Sales Manager Per Melker
East Coast Regional Director, Integrated Sales Roz Burke
West Coast Regional Director, Integrated Sales Michelle McHugh
Sales Associate Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, GM, Online Operations Gregg Pinsky
SVP, Online Sales Brian Glynn
East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Stacy Bryne
Director, Online Account Services Danielle Tetreault

CUSTOM SOLUTIONS GROUP
Vice President Charles Lee
National Sales Directors Brett Ferry, Karen Wilde

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs Ellen Daly
Sr. Director, Event Operations Deb Begreen
VP, Content Development & Events Derek Hulitzky

MARKETING
Vice President, Marketing Sue Yanovitch
Marketing & PR Manager Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com

4 www.csoonline.com September 2011


Photo  by  Christopher  Navin 


CUSTOMER VIEWPOINT

ADVERTORIAL

Jerome Becquart

VICE PRESIDENT AND GENERAL MANAGER, ACTIVIDENTITY

Mr. Becquart is General Manager and Vice President of ActivIdentity, part of HID Global, and serves on the Board of Directors for ActivIdentity. Global management responsibilities include solution and product marketing, marketing communications, engineering, professional services and technical support. Under Mr. Becquart's leadership, the organization has transitioned to a trusted advisor for customers, building a best in class global technical support team and implementing industry best practices across consulting and training services. Mr. Becquart has been with the organization since 1996, and has held several executive management positions.

FOR MORE INFORMATION:

Download the free whitepaper "Deploying Strong Authentication: The Threats are Changing - Are You?" at www.csoonline.com/whitepapers/aisecure

CSO Custom Solutions Group

ActivIdentity, part of HID Global

Secure the Enterprise

Jerome Becquart of ActivIdentity, part of HID Global, discusses the challenges facing CSOs in securing the enterprise, and how a multi-level security approach can help safeguard the enterprise and minimize the risk of potential security breaches.

Identity assurance solutions must be adaptable and scalable to meet the needs of the enterprise at all levels.

What have recent headlines taught us about enterprise security breaches, and how can enterprises increase security?

The perception that organizations are untouchable and security cannot be breached is something of the past. In the first five months of 2011, we saw 178 million to 218 million user accounts, e-mail addresses, token seed files or records stolen from companies that were breached. In the wake of recent high-level security breaches, CSOs must be ready to answer the tough questions CEOs are asking about their organizations’ security preparedness.

As threats become more sophisticated and frequent, security measures such as perimeter defense and traditional OTP no longer offer sufficient protection. By implementing a multi-layered approach with a combination of smartcards and advanced OTP tokens, the security organization can validate and authenticate users’ access to resources, providing a trusted environment for users.

Why are enterprises more vulnerable today? Where are these vulnerabilities?

Traditional security methods such as static passwords and authentication at the perimeter are almost obsolete for protecting employee credentials and enterprise data. Restricting employee Internet access has proven impractical, because it interferes with daily business operations. As the value of customer assets increases, so does the value of getting into these assets. Hackers are using social networks to breach the system, assuming employee identities. Once they have penetrated the IT network, hackers can easily access sensitive IT resources and valuable corporate information.

Enterprises need to make sure the security environment does not have an impact on daily business activities and that they educate employees and keep them informed.

How can companies have a security solution that addresses the global scope, frequency and sophistication of today's threats?

They must create an environment in which employees can establish trust in the identity of anyone accessing resources, particularly sensitive information. CSOs need to feel confident about the steps they have taken to protect the network and resources. They also need to implement an enterprise identity assurance solution that validates users’ identities, authenticates their credentials and provides access based on these credentials.

Some organizations are implementing perimeter defense systems and smart tokens. Does this strategy address advanced persistent threats?

Yes, multi-layered strong authentication inhibits an attacker’s ability to escalate account privileges or leap laterally to compromise other users’ accounts. Using smart cards to secure VPN, Windows login and server access can significantly reduce the risk of breaches. Employing OTP tokens with algorithms based on multiple variables is also a good strategy.

As a part of HID Global, how can ActivIdentity help enterprises strengthen their security strategy into the future?

I believe that as part of HID Global our identity assurance solutions will be able to meet the customer needs of today and the future. Identity assurance solutions must be adaptable and scalable to meet the needs of the enterprise at all levels, and I believe we can provide customers with this solution. I foresee in the near future that a CSO priority will be convergence—the use of a single credential to authenticate to a PC, network, applications, digitally sign emails, encrypt data and open a facility door.


What’s on your mind? Security leaders discuss and debate at www.csoonline.com

>> DISCUSSION

BLOG POST

Dr. Jekyll and Mr. Hyde: Managing Online Indulgence

I recently read an intriguing Harvard Business Review blog post, “The Three Ps of Online Indulgence,” by Alexandra Samuel. This guidance begins with the topic of well-known adults displaying split personalities online. While their public activities follow socially accepted norms, their darker “shadow selves” behave very differently. Samuel’s witty analysis artfully exposes the online hypocrisy of certain family-values politicians and the now-famous tweets of Congressman Anthony Weiner.

But moving quickly beyond the list of celebrities behaving badly, Samuel accurately unmasks the relentless disease that inflicts all who regularly enter cyberspace—namely the temptation toward online duplicity. This challenge is the 21st-century manifestation of the internal battle dating back to the beginning of time. Each of us must answer the age-old question: Who am I, really?

Always-connected adults are especially vulnerable to the smorgasbord of temptations offered on the Net. Samuel writes:

“Social media enthusiasts need to be extra cautious about online vices: We’re more likely to indulge (because we’re online more), more likely to get caught (because we’re widely watched) and more likely to disappoint others when we do (because they’ve seen us as the online standard-setters).”

I agree. There seems to be a never-ending supply of stories about educated adults, people who should know better, or even leaders in society getting into serious trouble because of their virtual-world behavior. The real-world results are showing up all around us: broken relationships, shattered careers, and even jail time.

What’s to be done? Samuel says, “You can manage the personal and professional risks of online indulgence by remembering the 3 Ps: Principled, Private and Planned.”

This is where I part ways with the blogger. I wonder: Can we really control online vices in this way? The overall effect of her words is to compartmentalize each of us into two (or more) distinct identities using online privacy. This approach may work for a time, but surely it leads to eventual disaster. In a sense, this guidance treats online privacy as the potion that allowed Dr. Jekyll to change into Mr. Hyde.

In Robert Louis Stevenson’s The Strange Case of Dr. Jekyll and Mr. Hyde, Jekyll wants to separate his good side from his dark impulses and develops a potion that transforms him into another version of himself, one with no conscience, who is known as Mr. Hyde. But although there is no good in Hyde, there is still evil in Jekyll. At first the doctor enjoys becoming Hyde, with all his freedom from moral and societal restrictions. But Hyde becomes increasingly violent, horrifying Jekyll, who is further dismayed to discover that he is transforming into Hyde in his sleep, even without taking the potion.

One message the book makes crystal clear is that we are each one person. My shadow self is still me. This is true even in virtual worlds, and studies have shown that people often act out their online activities in the real world.

There are many pragmatic questions raised by Samuel’s three P’s. Here are a few:

■ Can online identities really be kept private to pursue online indulgence? I seriously doubt this is feasible over long periods of time, because the Internet has a great memory. Also, hackers abound—WikiLeaks, for example. Do you really believe that Congressman Anthony Weiner (or most others) could be open and honest with his spouse about his secret tweeting to women around the country? People often go out of their way to hide online acts from the ones they love and lie to those who love them.

■ If integrity is doing what you say and saying what you do, how is Samuel’s approach truly principled? Isn’t duplicity the opposite of integrity?

■ Does being principled only mean not violating your own ethical bottom line? What if your ethical bottom line allows sending inappropriate pictures of little children? Are my principles merely reflections of federal or state law or company policy? Is that the best we can do?

■ Are there no principles that transcend our personal sense of right and wrong? Can’t we say that the hypocrisy of Ted Haggard or the perversion of Anthony Weiner is wrong, whether it violated their core principles or not?

More important than these objections is the fact that there is actually a better way: Surf your values. Connect your offline values and convictions with your online world. Practice virtual integrity. This means real transparency and accountability for online actions. Yes, we can still have fun and be anonymous on the Internet. But we must be wary of using browser controls, proxy servers, other privacy tools and online anonymity to feed a conscienceless shadow self or we will suffer a similar fate to that of Dr. Jekyll.

Every major tech and security company is trying to build a way to ensure the trustworthiness of online identities (see https://otalliance.org/) or end-to-end trust (see www.microsoft.com/mscorp/twc/endtoendtrust/). How can we have end-to-end trust if people have false identities and are creating separate accounts to deceive others and hide their activities? Many critics point out that Mr. Hyde is a play on words for someone who “hides” their darker side’s actions and motives. We can’t stop this behavior, but does that mean our best employees should be encouraging it?

No doubt we all have made (and will make) mistakes. Humbly acknowledging our weakness and vulnerabilities is a good place to start. When we see the appalling headlines about our leaders and celebrities behaving badly in cyberspace, we can say: “There but for the grace of God go I.”

Cybersecurity teams see it all the time. Regular visits to the Internet’s dark side will be found out.

In terms of dealing with these behaviors among employees, what’s to be done?

1. We need more honesty and transparency in Internet transactions. Create a more trusting environment at work.

2. Talk to your boss, coworkers and staff about online boundaries and what’s appropriate when surfing. Don’t just post policies. Train and mentor.

3. Use your Web monitoring and filtering software to encourage the right behaviors and discourage those that are not allowed. Whether you use Websense or something else, build a culture of trust and openness at the office and with company assets. (This topic is definitely worth its own post.)

Ultimately, honesty, accountability and forgiveness are still the only approaches that work.

—Dan Lohrmann

Now, the future really is wide open.

Introducing iCLASS SE, enabled with the Secure Identity Object (SIO) model.

iCLASS SE Card

Learn about SIO: hidglobal.com/sio, or scan this with a QR reader.

More portable, more flexible, and more secure than ever before. iCLASS SE — the platform that simplifies everything.

iCLASS SE protects the integrity of your identities, regardless of the card platform. It’s also amazingly flexible — use multiple form factors with an access control solution to create your ideal product today, then change it down the road as your business needs evolve by simply re-programming it.

Powerful, adaptable and designed to be energy efficient, iCLASS SE is truly the next generation in access control. For more information, visit hidglobal.com/future-CSO
ADVERTISEMENT

MARKET PULSE

Effective risk management is increasingly becoming a strategic priority for enterprises.

As a result, CSOs are looking beyond IT to physical security in order to obtain an integrated, holistic view of risk. But this can be difficult when the physical security domain itself consists of hundreds—if not thousands—of disparate sensors and logs. Executing an effective risk management strategy depends on the CSO's ability to obtain a holistic view of the physical security domain.

Like IT security, maintaining physical security involves monitoring numerous security-related sensors and systems that, in turn, control and monitor aspects of the environment. These include any combination of access control systems, alarm monitoring systems, video monitoring systems, building management systems (such as heating, ventilation, air conditioning), intrusion detection systems and perimeter intrusion systems.

Also like the IT world, monitoring and reporting is key to managing risk and demonstrating compliance with regulatory requirements. However, the sheer number of disparate systems and devices creates a number of challenges when it comes to physical security monitoring and reporting.

All of these challenges are driven by the fact that physical security systems in the majority of organizations today "stand alone." They do not "talk to" or integrate with any of the other systems.

Physical security information management (PSIM) is a category of technologies that aims to provide a comprehensive and holistic view of a physical security environment through the integration of numerous physical security subsystems and the correlation of data from these subsystems. PSIM solutions enable organizations to turn silos of data from individual subsystems into actionable intelligence.

The benefits of a PSIM solution include:

■ More efficient physical security management. With information from numerous systems and sensors integrated and presented by a single platform, organizations no longer have to dedicate precious resources to gathering and compiling data.

■ Greater visibility into the entire security infrastructure. Various sensors from different subsystems and alerts from these sensors are overlaid on maps of the facility or campus with the ability to drill down into particular alerts or points of interest. Where before visibility existed as numerous points on the infrastructure, a PSIM solution integrates information to enable a single view.

■ Lowered risk and improved incident response times. A PSIM solution can provide actionable intelligence about security incidents and events to help organizations prevent future events, thus continually lowering risk and improving their security posture. A real-time view of security events also allows organizations to resolve security incidents faster than they would otherwise.

There are a number of PSIM solutions available, including Surveillint by Proximex. Powered by a business logic engine, Surveillint is an enterprise-class solution that provides organizations with all the benefits of a PSIM platform. Surveillint connects and correlates information from disparate security systems into one centralized environment, thereby allowing customers to transform massive amounts of data into useable, actionable information.

Download the full white paper "The Secret to Effective Risk Management: What Every CSO Must Know" to learn more about PSIM solutions, including how they contribute to holistic risk management and how to evaluate a solution. www.csoonline.com/whitepapers/adt
“We’re taking Anon back. Time for sensible, focused discussion.” page 13


Edited  by  Bill  Brenner 


Researcher:  Industrial  Controllers  Poorly  Protected 


The  stripped-down  systems  that 
control  many  manufacturing, 
utility  and  industrial  processes 
have  enormous  security  issues, 
researchers  find. 

The  dedicated  systems  designed 
to  control  manufacturing,  utility  and 
industrial  processes  have  fundamen¬ 
tal  security  issues  that  have  allowed 
researchers  to  find  serious  vulner¬ 
abilities  with  trivial  effort. 

Siemens  Simatic  S7  programmable 
logic  controllers,  for  example,  are 
vulnerable  to  replay  attacks  that  allow 
adversaries  to  change  settings  and 
shut  down  devices,  says  Dillon  Beres- 
ford,  a  researcher  with  NSS  Labs. 

The  controllers  are  the  same 
devices  that  the  Stuxnet  virus  targeted 
in  2009  as  part  of  its  attack  on  Iran’s 
nuclear  processing  capabilities. 

“These  devices  were  designed  to  operate  in 
an  air-gapped  network,  where  physical  access 
was  necessary,”  Beresford  says. 

Programmable  logic  controllers  (PLCs) 
are  devices  that  turn  digital  commands  into 
physical  actions.  They  perform  tasks  such  as 
turning  valves  in  a  water  treatment  facility  on 
and  off,  or  controlling  assembly-line  machin¬ 
ery  in  a  manufacturing  plant. 

Because  they  typically  are  not  con¬ 
nected  to  the  Internet,  vendors 
such  as  Siemens  have  not 
historically  treated  attacks  on 
the  systems  as  a  serious  threat, 

Beresford  says. 

Beresford acquired some Siemens PLCs and then spent about two months reverse engineering them.

He found that the popular models of the S7 products are vulnerable to serious, yet well-known, attacks.

For example, if an adversary observed an authenticated server session, he could then re-authenticate simply by replaying the same network data, a classic replay attack.

In addition, Beresford found a hard-coded password that returned a back-door command shell on the PLCs.

Perhaps the most embarrassing revelation was that the code contained an Easter egg, a hidden program that played an animation of dancing monkeys.

During the Black Hat and Defcon conferences in August, Beresford turned a series of lights on and off to demonstrate that he could manipulate switches controlled by Siemens PLCs. While the demonstration seemed somewhat anticlimactic, Beresford underscored that it was a signal of real danger.

“I don’t want to freak anyone out, but if you mess with these things, you could cause pressure to build up in a pipe, which could cause a cascade and even explode,” he said.

An engineer from the Siemens security team took the stage midway through the presentation to assure attendees that the company was investigating the issues Beresford raised and was working to improve product security.

Beresford stressed that Siemens is not the only company with issues of this kind.

Similar security problems likely affect other manufacturers. While vendors have assumed that their PLCs and other industrial-control systems operate alone and unconnected to the Internet, many are connected, even if only indirectly.

In addition, the wireless networks that connect many of the devices to engineering terminals are vulnerable to attack, Beresford said.

The researcher recommended that the companies implement better access controls to protect the PLCs.

-Robert Lemos

Illustration by Carl Spackler
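The replay weakness Beresford describes comes down to a login that looks identical every time, so whatever was captured once is good forever. The following Python sketch is an added illustration and not code from Beresford’s research, from Siemens or from this article: it contrasts that static-credential check with a challenge-response login in which the controller issues a single-use random nonce per attempt, so the same captured exchange is refused the second time and counted for alerting. The shared key, class names and message formats are constructed for the example.

```python
"""Replay detection in a device login handshake (constructed illustration).

Two toy servers: one that accepts a fixed credential (so a captured login
works again), and one that issues a single-use random challenge per login,
so a captured response is refused when it is sent a second time.
"""
import hashlib
import hmac
import os
from typing import Set, Tuple

# Constructed shared secret for the illustration; a real deployment would
# provision a per-device key and never ship it hard-coded in firmware.
SHARED_KEY = b"constructed-example-key"


class StaticCredentialServer:
    """Weak scheme: the login message is the same every session."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def login(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._key)


class ChallengeResponseServer:
    """Replay-resistant scheme: each login signs a fresh, single-use nonce."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: Set[bytes] = set()  # nonces issued, not yet used
        self.rejected_replays = 0  # counter a defender would alert on

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            # Never issued, or already consumed: a replayed or forged login.
            self.rejected_replays += 1
            return False
        self._outstanding.discard(nonce)  # consume: one login per nonce
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def sign_challenge(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key for this nonce only."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def static_scheme_outcome() -> Tuple[bool, bool]:
    """(first login accepted, identical bytes accepted again later)."""
    server = StaticCredentialServer(SHARED_KEY)
    observed = SHARED_KEY  # what an observer of session 1 would have captured
    return server.login(observed), server.login(observed)


def challenge_scheme_outcome() -> Tuple[bool, bool, int]:
    """(first login accepted, captured pair accepted again, replays counted)."""
    server = ChallengeResponseServer(SHARED_KEY)
    nonce = server.challenge()
    response = sign_challenge(SHARED_KEY, nonce)
    first = server.login(nonce, response)
    second = server.login(nonce, response)  # the captured exchange, resent
    return first, second, server.rejected_replays


def wrong_key_rejected() -> bool:
    """A fresh challenge signed with the wrong key must not authenticate."""
    server = ChallengeResponseServer(SHARED_KEY)
    nonce = server.challenge()
    return not server.login(nonce, sign_challenge(b"other-key", nonce))


if __name__ == "__main__":
    print("static:", static_scheme_outcome())        # (True, True)
    print("challenge:", challenge_scheme_outcome())  # (True, False, 1)
    print("wrong key rejected:", wrong_key_rejected())
```

The rejected-replay counter is the point for an operator: a controller that logs and alerts on logins presented with a nonce it never issued, or issued and already consumed, turns the attack Beresford demonstrated into a detectable event rather than a silent success.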
>> BRIEFING

MOBILE DATA

BlackBerry Evidence May Help Convict London Rioters

Britain’s controversial Regulation of Investigatory Powers Act (RIPA) is likely to be widely used in the aftermath of the rioting that swept London, Birmingham and Liverpool, England, in August.

Research in Motion (RIM) has promised to cooperate fully with police after claims that its BlackBerry Messenger service was being widely used to coordinate riots and looting.

RIPA is extremely wide-ranging and can require organizations to hand over message data to the police “in the interests of national security, for the purpose of preventing or detecting crime or of preventing disorder, in the interests of the economic well-being of the United Kingdom, in the interests of public safety, for the purpose of protecting public health, for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable.”

The police can then subject this data to traffic analysis, highlighting the messages’ sources and which devices are linked to them. By comparing that to geolocation data gathered from network operators, police could rapidly build up a picture of who was where and when.

Correlating this information with CCTV footage could give the police lists of suspects to target.

Under the terms of the act, RIM and the network operators do not have to tell the public about any police request for information under RIPA, nor do they have to declare if any information has been handed over to the police.

Riots hit a number of towns around London, including Hackney, Peckham, Clapham, Croydon, Ealing, Tottenham and Brixton. The violence began after a man, allegedly carrying a gun, was shot dead by police.

In Enfield, about 12 miles north of London, a giant Sony warehouse, the company’s main UK distribution center for its CDs and DVDs, was set on fire.

-Mike Simons and Leo King


HACKTIVISM

IS FACEBOOK GOING DOWN NOV. 5?

The hacking group Anonymous is allegedly threatening to “destroy” Facebook on Nov. 5. It accuses the social networking site of spying on users, cooperating with authoritarian governments and violating people’s privacy.

The threat is contained in a video that was posted on YouTube on July 16 and has now been viewed more than 700,000 times, attracting more comments by the minute. But the threat has not been posted on Anonymous’ prolific Twitter feed or its blog, anonops.blogspot.com, leading some experts to wonder if it really originates with the group or if it’s a fake.

The video “was posted almost a month ago and yet has not been widely publicized, or publicized at all, on the usual Anonymous channels,” Rik Ferguson, director of security research and communication at Trend Micro, wrote last month on a company blog.

Ferguson noted that a Twitter profile associated with the threat also appears to be inactive. In the video, Anonymous claims that Facebook was helping authorities in Egypt and Syria spy on people and was also allegedly providing information to security companies about users on the site.

The settings on Facebook that are intended to make some information more private are a “delusion,” the group claimed. “Kill Facebook for the sake of your own privacy,” says the scrambled voice on the two-minute video.

A Facebook spokeswoman contacted in London says the company has no comment.

Anonymous and an affiliated group called Lulz Security have led numerous hacking campaigns against organizations, businesses and governments whose policies they find offensive.

One of their tactics is to conduct distributed denial-of-service attacks, which involve bombarding a website with traffic in an attempt to overwhelm its servers and cause the site to stop responding.

The groups have also hacked into servers and stolen information, then posted it publicly.

The group’s targets over the last few months have included the CIA, PBS.org, Fox.com and the U.K.’s Serious Organized Crime Agency. Anonymous did not specify how it plans to disrupt Facebook.

-Jeremy Kirk
SALTED HASH

A More ‘Sensible, Focused’ Anonymous?

Anonymous seems to be backing off and renouncing the goal of some of its members to destroy Facebook.

Consider the following recent post from the Security Watchdog blog:

The latest Twitter activity, however, seems to indicate that senior members of the group have decided to denounce the OpFacebook campaign completely, instead urging supporters who dislike Facebook to delete account data.

“An Anonymous board meeting was held. We have decided to renounce #OpFacebook. That is all,” noted one statement.

AnonyOps then revealed that “the old hats of Anonymous” had decided to take a firmer role in the direction of the group.

“We’re taking Anon back. Time for sensible, focused discussion,” it said.

Is this all a game to drive us into complacency so we will be surprised if something happens on Nov. 5, the day marked for the destruction of Facebook?

Perhaps. Perhaps not.

But if the old guard of Anonymous wants a more sensible, focused discussion, I’m all for it.

We can start by asking its members where the justice is in leaking all kinds of private information about innocent bystanders.

I agree with some of what Anonymous says. I especially agree with its contention that governments are using the terrorist threat to scare people into handing over the precious freedoms many of our ancestors shed blood to secure for us.

It’s the tactics I disagree with: the fact that all of this is done anonymously, and the group’s tactics create a lot of collateral damage.

I know what some of you are thinking: How do you launch a successful revolution out in the open, where those doing the fighting can be easily identified and pursued?

My answer is that if you look at history, you usually see the face of the leadership. While a lot of operatives were anonymous, the leadership always showed itself: George Washington and other Founding Fathers during the American Revolution remain the best example.

I am also at odds with these groups over the collateral damage they cause. Sure, it’s good to expose companies and governments that oppress people or fail to get security right. But when you spill the personal information of innocents, who are you really sticking it to?

When people have to spend large amounts of time cleaning up damage they did not deserve to have inflicted on them (damage that was inflicted just because they had the misfortune of doing business with incompetent or dishonest corporations that they trusted), you are just oppressing them in a different way.

If Anonymous’s elders want a more sensible, focused discussion, let’s start there.

-Bill Brenner


CSOonline’s new Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso


Security Wisdom Watch

Thumbs down: Trolling: Sometimes it’s good to make controversial statements on Twitter, especially if it ignites a debate security pros can learn from. The problems start when the talk gets mean. Lately, we’ve seen a little too much of the latter.

Thumbs down: Booth Babes: McAfee hired women to hang around its Black Hat booth and show some skin last month. A lot of skin, actually. Showing more, and better, security technology would have been more useful than appealing to our baser desires.

Thumbs both ways: Hackers Working for the NSA: Some hackers see nothing but evil in working for the government, and especially for the National Security Agency. They argue that NSA employees spend more time on activities that invade our privacy than on those that make cyberspace safer. There are some truths there. But that argument also sounds like a cop-out.

Thumbs down: Bad Behavior at Security Conferences: From Black Hat attendees getting robbed to Defcon attendees’ breakfast drinks being spiked with drugs, there’s a lot of bad behavior to be ashamed of in the security community of late.

Thumbs up: Redeeming Behavior at Security Conferences: Despite the shameful behavior mentioned above, a lot of conferencegoers rose to the occasion when victims needed help. We’d like to think that says more about our community than the not-so-good deeds. -B.B.

Photo by Reuters/Paul Hanna
COMPLIANCE

Can New Tokenization Standards Deter Data Theft?

The Payment Card Industry Security Standards Council published guidelines last month aimed at helping merchants and others processing payment cards to make effective use of tokenization technologies for concealing sensitive account information.

In its “Information Supplement: PCI DSS Tokenization Guidelines,” the council points out that there are several types of token products on the market today, and, though it doesn’t name them, it offers a description of how many of them work to hide payment-card account information by concealing it behind a substitute token. The token can then be converted back to the original account information.

The council says this technology could make it easier for merchants or others processing payment-card data to set up networks that restrict access to sensitive information in order to comply with the PCI Data Security Standard (DSS) rules.

Tokenization itself has no specific standards yet, and the various products on the market can work very differently. But because it effectively hides data in plain sight, tokenization can be taken into account when merchant networks are reviewed for compliance with PCI standards, says Troy Leach, chief technology officer at the PCI Security Standards Council.

“The security of an individual token relies predominantly on the infeasibility of determining the original primary account number,” the report states. It goes on to recommend best practices for tokenization. These include:

■ Strong authentication and access controls must exist for all access to the tokenization system, whether for tokenizing or de-tokenizing data, and authentication credentials must be protected from unauthorized access or use.

■ All components within the tokenization system (for example, the token generation and mapping process, data vault and cryptographic key-management system) must be in a PCI DSS-compliant environment.

Since the goal in PCI compliance is often to reduce the amount of cardholder data that enters the general business network, the report notes that if the primary account number (PAN) is retrievable by the merchant using the tokenization system, the “merchant’s environment will be in scope for PCI DSS.”

To minimize that, it would be preferred that the merchant “would not need or have the ability to retrieve the PAN once the token has been generated.”

The report offers details on how tokenization systems should be installed and configured in a PCI DSS-compliant manner. For instance, one guideline suggests “the tokenization solution implements logging, monitoring, and alerting as appropriate to identify any suspicious activity and initiate response procedures.”

-Ellen Messmer
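To make the guidelines above concrete, here is an added Python sketch of a token vault that is not the council’s design, not any product named in the report and not from the article: a random token that keeps only the last four digits and never passes the Luhn check (so it cannot be mistaken for a real card number), role-based access in which the merchant’s point-of-sale role can tokenize but not de-tokenize, an audit log that records operations without the PAN, and an alert after repeated denied de-tokenization attempts. The role names, principals and the test card number are constructed for the illustration; the in-memory dictionaries stand in for an encrypted vault.

```python
"""Token vault sketch: substitute tokens, role-checked de-tokenization, audit log.

Constructed illustration of the practices the PCI guidelines describe; it is
not the council's design or any vendor's product. The in-memory dicts stand in
for the encrypted data vault.
"""
import secrets
from typing import Dict, List


class AccessDenied(Exception):
    """Raised when the caller's role does not permit the requested operation."""


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; used so that tokens are never well-formed PANs."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    # Constructed roles: point-of-sale may tokenize only; settlement may also
    # recover the PAN. Keeping de-tokenization away from the merchant side is
    # what keeps the merchant environment out of PCI DSS scope.
    ROLE_PERMISSIONS = {"pos": {"tokenize"}, "settlement": {"tokenize", "detokenize"}}
    ALERT_THRESHOLD = 3  # repeated denials from one principal raise an alert

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}
        self._denials: Dict[str, int] = {}
        self.audit_log: List[str] = []  # never records a PAN, only operations
        self.alerts: List[str] = []

    def _authorize(self, principal: str, role: str, operation: str) -> None:
        if operation not in self.ROLE_PERMISSIONS.get(role, set()):
            self.audit_log.append(f"DENY {operation} principal={principal} role={role}")
            count = self._denials.get(principal, 0) + 1
            self._denials[principal] = count
            if count >= self.ALERT_THRESHOLD:
                self.alerts.append(f"{principal}: {count} denied {operation} attempts")
            raise AccessDenied(f"role {role!r} may not {operation}")
        self.audit_log.append(f"ALLOW {operation} principal={principal} role={role}")

    def _new_token(self, pan: str) -> str:
        # Random digits, last four preserved for receipts; reject any candidate
        # that passes Luhn or collides, so a token cannot pass as a real PAN.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                return token

    def tokenize(self, principal: str, role: str, pan: str) -> str:
        self._authorize(principal, role, "tokenize")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # same card always maps to the same token
            return self._pan_to_token[pan]
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, principal: str, role: str, token: str) -> str:
        self._authorize(principal, role, "detokenize")
        return self._token_to_pan[token]


def demo_scenario() -> Dict[str, object]:
    """Runs the merchant-side flow and returns what each step produced."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed: the usual Visa-format test number
    token = vault.tokenize("pos-07", "pos", pan)
    denied = 0
    for _ in range(3):  # a POS terminal repeatedly trying to recover the PAN
        try:
            vault.detokenize("pos-07", "pos", token)
        except AccessDenied:
            denied += 1
    return {
        "pan": pan,
        "token": token,
        "same_token_on_repeat": vault.tokenize("pos-07", "pos", pan) == token,
        "denied": denied,
        "alerts": len(vault.alerts),
        "recovered": vault.detokenize("settle-01", "settlement", token),
        "log_mentions_pan": any(pan in line for line in vault.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```

The two properties worth checking in any real product are the ones the demo asserts: the token reveals nothing about the PAN beyond the digits you chose to preserve, and the only path from token back to PAN runs through an authorization check that is logged and that raises an alert when it keeps failing.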


MALWARE

Super Glue Website Comes Unstuck After JavaScript Attack

Five days after the August discovery of malicious script on the website of the Super Glue Corporation, visitors to the site were still being served the dangerous code, which pushed them to sites selling fake security software, security company Avast Software has revealed.

“This infection seems to be sticking like glue,” said Avast’s statement on the discovery, with the first in what will likely be a long series of glue-themed jokes at Super Glue’s expense. The attack itself (a redirection attack using JavaScript to send users to a series of third-party sites in Russia) is pretty standard, but the malware code behind it, called JS:Redirector-HX, appears to be modestly trending, having been detected by Avast on 500 websites in a single day.

The other thing that makes it notable is the lack of response by the affected company. Days after the malware’s discovery, Super Glue seemed to still be oblivious to the problem, thanks to an apparently disorganized chain of reporting between the company and its host.

“Avast Software has informed Super Glue by email and telephone about this malware. However, contact details on their site are designed for customers and not for reporting security issues,” read the security alert put out by Avast. -John E. Dunn
SOFTWARE VULNERABILITIES

MICROSOFT’S GOAL: KILL BUGS DEAD

Microsoft eschews one-off bug bounties, focuses on fixing entire classes of flaws instead

Bug-bounty programs reward security researchers for finding product flaws that made it past the vendor’s quality-control processes. Some organizations, including Google and Mozilla, have had bug-bounty programs in place for a while now, while the social networking site Facebook just announced a bug-bounty program with a base reward of $500.

Microsoft, however, isn’t interested in paying for help with one-off software vulnerabilities.

Instead, the software vendor is swinging for the fences: It aims to exterminate entire classes of bugs, with the help of the security research community. That was the message at the Black Hat security conference last month, where the company announced it was creating what it calls the BlueHat Prize.

The contest promises a first-place award of $200,000 to security researchers who come up with “a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities.” Second prize will be $50,000.

Industry reaction to the BlueHat Prize has been mixed. “It reframes the nature of a solution to the ongoing problem of software vulnerabilities,” says Pete Lindstrom, research director at Spire Security. “It’s a much more scalable way to attack the problem, rather than paying people to find individual vulnerabilities. That approach leaves many more vulnerabilities in applications for the bad guys to find,” he says.

“Microsoft has consistently resisted paying bug bounties, a position it is at some pains to defend in light of [the fact that] major competitors, including Google, are willing to pay for vulnerabilities,” says Scott Crawford, managing research director at Enterprise Management Associates. “The cynical point of view would be that the BlueHat Prize is something of an end run around Microsoft’s long-standing position, taking the high road of offering a reward for better defense,” says Crawford.

Perhaps the BlueHat Prize’s unusually high reward (other bug-bounty programs generally pay researchers several hundred to several thousand dollars for finding one-off exploitable software flaws) will be enough to attract bright minds to the problem.

According to Microsoft, winners will keep the rights to their creation, but it must be licensed to Microsoft without royalties.

“We want to make it more costly and difficult for criminals to exploit vulnerabilities,” Katie Moussouris, a senior security strategist lead at Microsoft, said at a press conference during the show. “We want to inspire researchers to focus their expertise on defensive security technologies.”

But will the scheme work?

“It has a better chance at solving some of our major software problems than what we are currently doing with bug finding,” says Lindstrom.

“It is a long-awaited recognition by Microsoft of the value of third-party security research, and I am encouraged by its focus on innovation in building an approach to security stronger than current models, a philosophy much needed throughout the industry. I hope it attracts the interest intended, and Microsoft is likely to hear from a lot of innovators with interesting ideas,” says Crawford.

John Pescatore, a vice president and security analyst at Gartner, says it’s a sign that the software giant has run out of ideas with its Trustworthy Computing initiative. “Just as open-source operating systems like Linux proved that closed-source operating system vendors like Microsoft don’t have a monopoly on programming talent, something like this BlueHat Prize is essentially Microsoft saying, ‘We’ve spent hundreds of millions on Trustworthy Computing over the past 8 years, but maybe someone out there has some better ideas,’” Pescatore says.

“It’s not really a bad idea, though. They are sort of doing what Google has done for several years with their research grants.”

-George V. Hulme

Illustration by Carl Spackler

September 2011 www.csoonline.com 15


By Bob Violino

The Eyes Have It

The move to IP-based video surveillance systems continues. Here’s what to watch for.

Illustration by John Weber

The global economic downturn is apparently having no major effect on the market for IP video surveillance cameras and other equipment, as sales remain strong worldwide. Meanwhile, the technology continues to evolve, and the emergence of high-definition (HD) video and megapixel resolution is among the more prominent trends in video surveillance.

The worldwide market for video surveillance equipment grew more than 10 percent in 2010 compared with the year before, according to a report released in July 2011 by U.K.-based firm IMS Research. The report, “The World Market for CCTV and Video Surveillance Equipment,” says the growth was mainly driven by sales of IP-based network video surveillance equipment. IMS forecasts that the global network security camera market will exceed $4 billion in 2015.

While the global analog video surveillance equipment market was relatively depressed in 2010, the network video surveillance market grew almost three times as fast as the total market last year, by more than 30 percent, says Gary Wong, senior research analyst for video surveillance and video content at IMS.

Two key factors contributing to the decline of the analog market are that many large enterprises are transitioning to IP-based systems, and that price competition and commoditization in the middle and low tiers of the analog surveillance market are increasing, IMS says.

Network video surveillance growth continues to be bolstered by stimulus-funded projects and by the increasing penetration of higher-value network video surveillance products, such as HD cameras, the firm says. It predicts that the growth of the IP market and the decline of the analog market will lead to a transition by 2014, with network video overtaking analog in sales.

Moving to IP

The traditional providers of video surveillance equipment were slow to embrace and promote IP products in years past, Wong says. “However, these companies have now begun to quickly develop their portfolios of IP surveillance products and [are] gaining market share,” he says. He expects the move to IP to continue over the next three to five years.

“Axis [Communications] and the IP revolution have changed the face of the old CCTV industry,” says Joe Freeman, a security industry consultant and president and CEO of J.P. Freeman. “We were Axis’ consultants in their early growth phase, an unknown up against big names, and now they’re the leader” of the network video market.

Because Axis “comes out of the IT culture, not security, [it’s] forcing traditional leaders to copy [its] lead in many respects,” Freeman says. “Axis is more attuned to selling through IT distributors operating at lower margins than security distributors,” so users can choose among multiple suppliers. Axis also offers some hand-holding, Freeman says, which helps security managers pick the best system for them and understand all its features.

One thing that’s pushing buyers toward network surveillance is the emergence of open standards for IP cameras, created by two industry groups formed in 2008: the Open Network Video Interface Forum (ONVIF) and the Physical Security Interoperability Alliance (PSIA).

ONVIF includes vendors such as Axis, Bosch, Canon, Sony, Cisco and Panasonic. Late last year, the group announced its ONVIF Core Specification 2.0, which covers video storage devices, video analytics engines, cameras and encoders.

PSIA’s members include Honeywell, IBM, Stanley Security Solutions, Samsung and Texas Instruments. In March, PSIA unveiled the final pieces of its security suite of specifications, and several vendors demonstrated products that use PSIA specifications.

“Open standards like ONVIF and PSIA create a level of interoperability” between systems that had been proprietary, Wong says. “These standards should make it easier for more manufacturers to access the video surveillance market.”

For organizations using video surveillance cameras, the availability of IP-based systems has helped bolster security.

The Hillsborough County Sheriff’s Office (HCSO) in Tampa, Fla., two years ago began a move to all IP surveillance cameras, and to date has installed about 350 IP cameras from Axis, says Craig McEntyre, manager of the business support bureau and project management office at HCSO.

By the end of this year, HCSO expects to have more than 600 IP surveillance cameras in use, McEntyre says, and it will purchase as many as 2,000 over the next three to five years.

The majority of the cameras HCSO uses today are analog; only about 20 percent of its cameras are IP-based. But that ratio will shift as the organization migrates to IP and phases out its older analog cameras.

HCSO’s foray into IP-based surveillance began when it used a Justice Department grant to buy 20 cameras for law enforcement investigation, monitoring activity and emergencies in high-crime areas.

After an RFP process, the sheriff’s office awarded a contract to Site Secure, a systems integration firm, and Avrio RMS, a surveillance integrator with municipal surveillance expertise. They developed a wireless surveillance system that funneled video data back to district headquarters without expensive cabling.

Later, HCSO replaced a set of aging analog surveillance cameras with IP cameras in four of its district office buildings, and it’s now using IP cameras in sections of two of the jails it operates, as well as in a vehicle storage lot.

It has also deployed cameras in several rooms that are used to interview crime suspects, where the archived video footage is usable as evidence in court.

In implementing IP cameras, HCSO was able to leverage its existing network, which supports voice and data communications. McEntyre says the network has sufficient bandwidth to handle the various types of traffic simultaneously without degrading quality.

One of the key benefits of IP is that it provides improved video. “The quality of the images is way better than what we saw with analog,” McEntyre says. Because the cameras are on a network, HCSO can manage them remotely.

Another benefit is the ability to easily conduct detailed searches of archival video. “When we view back video we can set bookmarks, so we can go straight through [to particular content] instead of taking hours to go through a recording,” McEntyre says.

HCSO has centralized storage for IP video in its data center. The organization is using a combined server and storage platform from Pivot3 called CloudBanks to store captured video images and host the video management system software.

The scalable nature of the Pivot3 system ensures it can handle the demands of incoming video streams and support growing volumes of video data.

HCSO needs to capture surveillance data at all times, and the Pivot3 platform provides application failover to prevent the loss of captured video, McEntyre says.

Not all companies have embraced the move to IP cameras for video surveillance. Walz Group, a communications and compliance technology services provider, uses analog cameras along with IP-based digital video recorders from Nuvico. Among the key factors that the company considered when selecting its video surveillance system about a year-and-a-half ago were whether it had high-capacity digital video recording (DVR) units that could provide for at least a 90-day or longer video log and records retention.

Walz also wanted low-lux cameras that provide for fairly effective object recognition at night; high-image-quality playback of the 90-day video logs and records; centralized video surveillance systems management; role-based access-control features; and options for easy expansion so the company could provide video surveillance across a growing campus.

Walz executives didn’t think the added capabilities of IP video and megapixel resolution, such as more detailed images, justified the higher cost of the cameras, says CISO Bart Falzarano. “With what we’re trying to identify, it didn’t require that we [be able to] read something on a document that someone is holding, or something that’s written on a T-shirt,” Falzarano says.

The firm mainly wanted to use surveillance cameras to identify personnel in or near sensitive areas or entering buildings, which could be provided effectively by less expensive analog cameras. On top of the added cost of the cameras if Walz had opted for IP, the company would need to configure a dedicated virtual LAN so video traffic would not affect data and voice traffic.

“We’d have to get involved with additional networking configuration issues,” such as segregating the video traffic from voice and data to ensure the quality of all three, Falzarano says. “If you prioritize data, then you might have video quality problems,” he says.

“Available bandwidth and establishing [the] proper class of service for each traffic type of voice, video and data needs to be considered when implementing a full IP video system.”

One important capability of the video surveillance system Walz uses is built-in motion sensing with pre-alarm and post-alarm recording, which means the cameras are only recording when they detect movement. This conserves disk capacity, Falzarano says.
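Pre-alarm recording of the kind Falzarano describes is usually done with a ring buffer that holds the last few seconds of frames at all times. The following Python sketch is an added example, not Nuvico’s implementation or code from the article: when motion is detected it flushes that buffer to storage, keeps recording for a post-alarm window that each new motion frame extends, and discards everything else. The window lengths, frame rate and the 20-frame sample stream are constructed for the illustration.

```python
"""Pre-alarm/post-alarm recording buffer (constructed illustration).

Frames arrive continuously; a fixed-size ring buffer holds the last N
seconds so that, when motion triggers, the seconds before the trigger are
written out as well, and recording continues for a post-alarm window after
the last motion. Everything else is discarded, which is where the disk
savings come from.
"""
from collections import deque
from typing import Deque, List, Optional, Tuple


class MotionTriggeredRecorder:
    def __init__(self, pre_alarm_s: float, post_alarm_s: float, fps: float) -> None:
        # Ring buffer sized to hold exactly the pre-alarm window of frames.
        self._pre_roll: Deque[float] = deque(maxlen=int(pre_alarm_s * fps))
        self._post_alarm_s = post_alarm_s
        self._record_until: Optional[float] = None
        self.recorded: List[float] = []  # timestamps of frames written to disk

    def feed(self, ts: float, motion: bool) -> None:
        if motion:
            if self._record_until is None:
                # New event: flush the pre-roll so the lead-up is kept.
                self.recorded.extend(self._pre_roll)
                self._pre_roll.clear()
            # Any motion (new or continuing) extends the post-alarm window.
            self._record_until = ts + self._post_alarm_s
        if self._record_until is not None and ts <= self._record_until:
            self.recorded.append(ts)
        else:
            # Idle: stop recording and let the ring buffer roll on.
            self._record_until = None
            self._pre_roll.append(ts)


def simulate(pre_alarm_s: float = 3, post_alarm_s: float = 2,
             fps: float = 1) -> Tuple[List[float], int]:
    """Feeds 20 constructed one-frame-per-second samples, motion at t=8 and t=9.

    Returns (timestamps kept, total frames offered).
    """
    recorder = MotionTriggeredRecorder(pre_alarm_s, post_alarm_s, fps)
    frames = [(t, t in (8, 9)) for t in range(20)]
    for ts, motion in frames:
        recorder.feed(ts, motion)
    return recorder.recorded, len(frames)


if __name__ == "__main__":
    kept, total = simulate()
    print(f"kept {len(kept)} of {total} frames: {kept}")  # 7 of 20
```

With a 3-second pre-roll and a 2-second post-alarm window, motion at seconds 8 and 9 keeps seconds 5 through 11 and drops the other 13, which is the retention saving Falzarano refers to; sizing the ring buffer is the one decision that matters, since anything older than it is gone before the event is known to have started.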

Megapixel Gains Ground

In terms of product innovation, “there has not been any significant new technology introduced in the IP surveillance cameras market in the last 12 months,” Wong says. “The major ongoing technology trend is HD and megapixel resolution. Increasingly, manufacturers are beginning to transition their IP camera product lineups from standard definition to HD and megapixel resolution cameras.”

For organizations that deploy IP surveillance cameras, the higher definition and megapixel resolution will mean even better image quality. “It provides end users with a more compelling reason to switch from traditional analog video to IP video,” Wong says, because there will be a more significant difference in resolution.

The move to megapixel “is clearly a trend,” Freeman adds. “It not only provides greater detail for identification, it opens the door for security cameras to enter non-security markets requiring observation and even automatic control.”

Factories that use quality and assurance inspectors to watch products coming off the line can now convert to megapixel cameras to reduce overhead costs, Freeman says.

Wong expects most IP camera manufacturers to begin to transition a large portion of their existing product lines away from standard definition to HD in the coming months. The move to HD will definitely affect IP camera pricing.

“In general, the average selling price for IP cameras has remained relatively stable over the last two years,” Wong says. “The manufacturer-driven shift from standard definition to HD and megapixel resolution IP cameras will make the [average selling price] rise in developed markets in the next two [to] three years.” He would not say how much he expects prices to increase.

McEntyre says HCSO has begun implementing a limited number of HD cameras, which he says can cover more area than a standard-definition camera. Because of the higher cost, however, he does not expect a huge move to HD anytime soon.

“We budget our own security from tax dollars, so we try to get the best bang for the buck wherever possible,” McEntyre says.

Another technology development in the industry concerns video compression algorithms.

Wong says IMS Research has seen a strong shift toward H.264 as the preferred compression type over the last 12 months. “The increasing demand for HD and megapixel resolution cameras will drive the adoption of H.264 and H.264 SVC [scalable video coding].”

H.264 is used for technologies such as Blu-ray discs, streaming Internet video, Web software such as the Adobe Flash Player and Microsoft Silverlight, broadcast services, cable and direct-broadcast satellite TV, and real-time videoconferencing.

“The trend of course is [for] more and better algorithms,” Freeman says. “The problem is that the more you ask your software to do in terms of event [identification] and classification, the greater the probability that it will not do any one function well. This would argue for a high level of concentration on just well-targeted alarm conditions, such as license plate reading and untended bags, for example, in any one software package or chip. It’s not easy to do, however, since suppliers of multi-function intelligent video software have an easy sales argument against those single- or dual-function software or chips.”

Freeman expects to see the emergence of new software features on IP video cameras that increase their functionality.

“The idea of onboard features is [powerful] since it lends itself to simplicity, which the security user desires as much as possible,” Freeman says. “If the camera can handle vision, editing, storage, [and] even a user instruction as to which enforcement procedure to use—you’ve got a powerful security device. We believe that’s the long-term outlook.”

Another big trend that will affect the market is cloud computing. “The cloud will in many ways obviate the need for old DVRs and NVRs [network video recorders],” Freeman says.

Companies are rolling out cloud-based services. For example, Axis has a hosted video-surveillance-as-a-service offering that is enabled by cloud computing. Organizations with an Axis camera and Internet access can use the service on an on-demand basis.

How can organizations make decisions about which of the emerging camera and video options is best? In addition to weighing the costs and determining how the equipment will be used, it’s a good idea to keep tabs on what others are doing.

“It’s important for [user organizations] to have a reliable grapevine of other users,” Freeman says. They could benefit from meeting with local companies that use other systems so they can compare notes. “In the end, every user is looking for the most functional and reliable equipment.” ■

Bob Violino is a frequent contributor to CSO. Send feedback to editor Derek Slater at dslater@cxo.com.
SHUT THE DOOR ON DATA THEFT

Another day, another breach. And it’s not just the big guys losing data anymore. Cybercriminals are now using advanced attacks to steal data from companies of every size. How? They exploit the gaps in your traditional defenses to infect your systems with malware and exfiltrate your valuable data. Websense® TRITON™ security protects against threats coming in through the web and email, and stops data from leaving when it shouldn’t.

Learn more at www.websense.com/advanced_attacks


Data Security via Desktop Virtualization

By centralizing virtual desktops and data, companies can protect sensitive information while giving users more flexibility and choice.

What are the main security "pressure points" corporate and government organizations face today?

The top three are the consumerization of IT, cloud computing and a wildly evolved threat landscape. Consumers today are bringing their own devices into the workforce, selecting their own applications and making other decisions that IT departments used to make. Consumerization changes fundamental security assumptions and really shakes the foundation that IT security has been built upon. As for cloud computing, the fearmongers who state that the cloud is the end of security are wrong. The cloud can give us a needed restart to do security right—taking into account how people are using today’s computing technologies while protecting sensitive data and privacy. Finally, on the threat landscape, we’re seeing that current attempts at data exfiltration are highly successful. The old security model that protects primarily against malicious access attempts is woefully inadequate to mitigate vulnerabilities once access has been granted.

What is desktop virtualization, and how can it increase IT security?

With desktop virtualization, you can take a familiar desktop PC or laptop environment, virtualize all its applications and the desktop interface itself and run everything on server-based virtual machines in the data center or in the cloud. Users can then access their virtualized desktops with various client devices, including PCs, tablets and smartphones. Every user can be strongly authenticated into the virtualized desktop environment. All data that goes back and forth between the client devices and any virtualized desktops or applications is natively encrypted. Along with that, everything—including transactions and access—is completely logged.

One of the primary advantages of desktop virtualization is its ability to keep sensitive data in the data center. Data owners can ensure consistency, backup, disaster recovery, availability and the ability to make endpoint storage of sensitive data irrelevant. This eliminates a common point of loss and the need for breach notification if somebody loses their device. Moreover, offline and local compute usage models are available that enable both seamless access to public data and strong protection of sensitive data.

How can the deployment of desktop virtualization simplify and enhance the job of security professionals?

With distributed computing, IT had no idea of what sensitive data was on somebody’s laptop, so it had to manage every laptop as if it had sensitive data. With virtualization in place, security measures and policies ensure that data access and distribution are appropriate to risk. Security managers can define policies that are very granular to make sure everything is encrypted and continually monitored. Data leakage protection (DLP) and other advanced security measures can be enabled for a particularly sensitive application simply through integration of DLP into the data center—without the need to install a data leakage client on everybody’s personal device. By centralizing the data, the desktops and the applications, IT can focus on watching the vault, as opposed to having to watch for all sensitive resources on all the computers that could potentially access it.

How can the deployment of desktop virtualization benefit employees and other consumers of corporate data and applications?

Desktop virtualization removes the need for all consumers to be their own IT manager and their own security officer. By automating data protection and freeing users from mundane and time-consuming data management responsibilities, desktop virtualization makes for greater productivity and happier users. It gives them more freedom of choice to use multiple devices and also enables “workshifting,” the ability to work anywhere, from any device and in any situation. Securely.


Free your workforce. Control what matters.

Work anywhere. On any device. We call that virtual computing. And it’s driven by virtualization technologies that give you both freedom and control. Virtual computing frees users and IT from the limitations of the traditional computing model. Give IT control over what truly matters—delivering desktops, applications and data. Securely.

Say yes to users who need to work whenever, on any device they choose.

Experience the power of virtual computing.

Simplicity is power. Citrix.

CITRIX

Citrix.com/SimplicityIsPower




COVER STORY | INTEGRATED SYSTEMS

A decade after 9/11, Louis Barani of the new World Trade Center is designing a situational awareness system that reflects on the past for future protection. By Joan Goodchild

THERE IS PERHAPS NO IMAGE OF SECURITY MORE STRIKING than the site of the World Trade Center in New York City. It was the scene of a terrorist bombing in 1993 that killed six people and, ten years ago, the epicenter of an attack that changed the world forever.

The events of September 11, 2001, marked the end of security as we all had known it, and the beginning of an era that now includes intense checks at airports, amplified scrutiny for those who want to travel across borders, a major focus on national security, and more emphasis within organizations on mitigating risk and evaluating how well they are protected. Difficult lessons were learned at the World Trade Center on September 11, 2001.

And now, from an office 19 floors above the site, Louis Barani oversees the construction and design of a security system that heeds those lessons and will take the new World Trade Center into the future.

Barani, a naval veteran who has 25 years of government and private-sector experience in security-risk management and critical-infrastructure protection, was brought in to be World Trade Center Security Director after working at the Port Authority’s Office of Emergency Management as general manager for security programs. He was charged with bringing together a disparate set of security and building-management systems, as well as the many stakeholders involved in the process of developing security for what is possibly one of the most talked-about redevelopments in the world. When the redesigned and reconstructed site is finally opened, it will comprise five new skyscrapers, the National September 11 Memorial and Museum, a transportation hub, a retail complex and a performing arts center.

“The conditions on the site are separate and distinct stakeholders and components,” says Barani. “The five towers, the memorial and museum, the transportation hub, underground roadway, network, vehicle security center—they all have different security and building-management systems, and all are controlled by their own operations and security command centers. What we needed to accomplish was situational awareness for the entire site to coordinate responses to events that could have a negative impact.”

Construction began in 2006; the center will include five skyscrapers and underground reflecting pool memorials on the exact locations of the Twin Towers.

And that is what Barani is now developing: an event- and identity-management system he refers to as a Situational Awareness Platform. The system will overlay security and building-management systems (BMS)—including access control; CCTV; alarm; fire; chemical, biological, radiological and nuclear (CBRN) defense; HVAC; elevator control; and visitor management—and fuse and correlate information from them to create that situational awareness. It will give Barani and his team information about events, conditions and even identities that can be used by law enforcement and fire and life safety crews as needed.

“We had to find a way to generate as much information as possible, fuse it, correlate it and bring it into one location,” explained Barani. “We took two products—event-management and identity-management products from VidSys and Quantum Secure—and developed an integration between them with a single rules-development driver. This way we can correlate information from the event and the identity and have a better situational awareness.”

Barani explains that the identity-management piece might come into play if, for example, an employee’s access card is stolen or lost. If someone steals a card and is trying to get into a critical area, such as a closet containing sensitive assets, a central chiller plant, or a critical electrical area, it will generate a single alarm. But if there are multiple attempts made using that card, it will be flagged by the system because it does not clear a threshold of acceptability.

“We will know someone is trying to access critical areas at different locations,” says Barani. “Then we bring in the identity-management portion of it and see if the person we observe through the CCTV is actually the one using the card. If it’s not, we have a law enforcement situation. If it is someone with access and they are trying to probe certain areas, we also know how to respond.”

The access-card example is a simple scenario, but the situational awareness system would also be critical in the event of a large-scale or, as Barani refers to it, a Mumbai-style attack: a scenario involving several attackers trying to harm people and buildings.
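The stolen-card scenario above, as an added example written for this page; it is not code from the article, from VidSys or from Quantum Secure. It applies the two rules Barani describes (one attempt at a critical area raises a single alarm; repeated attempts with the same card across several critical areas inside a short window are escalated), joins each alert with the card's identity record, and lists the cameras covering the zones involved so an operator reviews only that footage rather than every camera on the site. The card ids, holder names, zone and camera names, log format and thresholds are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed identity records: who holds each card and where they may go.
IDENTITIES = {
    "CARD-1001": {"holder": "A. Example", "authorized_zones": {"LOBBY", "OFFICE-19"}},
    "CARD-2002": {"holder": "B. Sample",
                  "authorized_zones": {"LOBBY", "CHILLER-PLANT", "ELEC-ROOM-B1"}},
}

# Critical areas of the kind the article names, and the cameras covering them
# (constructed names; a real platform would fetch these from the VMS by API).
CRITICAL_ZONES = {"CHILLER-PLANT", "ELEC-ROOM-B1", "TELECOM-CLOSET-3"}
ZONE_CAMERAS = {
    "CHILLER-PLANT": ["CAM-B2-07", "CAM-B2-08"],
    "ELEC-ROOM-B1": ["CAM-B1-03"],
    "TELECOM-CLOSET-3": ["CAM-03-11"],
}


@dataclass
class AccessEvent:
    ts: datetime
    card: str
    zone: str
    granted: bool


def parse_event(line):
    """Parse one constructed access-control log line:
    '<ISO timestamp> <card id> <zone> <GRANTED|DENIED>'."""
    ts, card, zone, result = line.split()
    return AccessEvent(datetime.fromisoformat(ts), card, zone, result == "GRANTED")


def correlate(lines, threshold=3, window=timedelta(minutes=15)):
    """Apply the two rules to a batch of events and return the alerts.

    Rule 1: any attempt at a critical zone raises a single alarm.
    Rule 2: `threshold` or more attempts with one card at critical zones
            inside `window`, spread over at least two zones, escalates.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    by_card = defaultdict(list)
    alerts = []
    for ev in events:
        if ev.zone not in CRITICAL_ZONES:
            continue
        ident = IDENTITIES.get(ev.card, {"holder": "UNKNOWN", "authorized_zones": set()})
        # Sliding window of this card's recent critical-zone attempts.
        recent = [e for e in by_card[ev.card] if ev.ts - e.ts <= window] + [ev]
        by_card[ev.card] = recent
        zones = {e.zone for e in recent}
        escalated = len(recent) >= threshold and len(zones) >= 2
        alerts.append({
            "ts": ev.ts.isoformat(),
            "card": ev.card,
            "holder": ident["holder"],
            "zone": ev.zone,
            "granted": ev.granted,
            "severity": "escalated" if escalated else "single_alarm",
            # A holder not authorized for the zone points to a lost or stolen card;
            # an authorized holder probing other areas is an insider question.
            "holder_authorized": ev.zone in ident["authorized_zones"],
            "attempts_in_window": len(recent),
            "cameras_to_review": sorted(c for z in zones for c in ZONE_CAMERAS.get(z, [])),
        })
    return alerts


# Constructed sample log: CARD-1001 (authorized only for lobby and office)
# is presented at three different critical doors within ten minutes.
SAMPLE_LOG = [
    "2011-09-01T08:02:11 CARD-1001 LOBBY GRANTED",
    "2011-09-01T08:05:40 CARD-1001 CHILLER-PLANT DENIED",
    "2011-09-01T08:09:02 CARD-1001 ELEC-ROOM-B1 DENIED",
    "2011-09-01T08:12:30 CARD-1001 TELECOM-CLOSET-3 DENIED",
    "2011-09-01T08:20:00 CARD-2002 CHILLER-PLANT GRANTED",
]


def escalated_alerts(lines=SAMPLE_LOG):
    """Only the alerts that crossed the threshold and need a CCTV identity check."""
    return [a for a in correlate(lines) if a["severity"] == "escalated"]


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["severity"], a["card"], a["holder"], a["zone"], a["cameras_to_review"])
```

On the constructed log the first two critical-door attempts produce single alarms; the third, at a different zone inside the window, escalates and carries the holder's name, the fact that the holder is not authorized for that zone, and the four cameras whose footage would show whether the person at the reader is the cardholder. The legitimate CARD-2002 entry stays a single alarm.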

“In a dynamic situation with multiple attackers and responding agencies, we need to know where the good guys are, where the bad guys are, and what they are doing. With this system, we have immediate access to information like where attackers are located through multiple access-control and CCTV systems. We’ll have access to information from the BMS system and HVAC system to tell fire department representatives that this is the status of the fire, these are the points of alarm, and this is the area where the fire suppression system has deployed, these are the floor plans of where the fire is, this is the floor above and below, this is the status of the stair pressurization, this is what the elevator system is doing, here’s what the evacuation looks like in the lobby.”

The system also provides information from a CBRN system and sensors that can collect information in the event of a chemical, biological or radiological threat or attack.

“We worked with NYPD to determine which agents they were most concerned about and developed a systems design based on that. Based on the makeup of the agent and the prevailing winds, we can determine strategies like sheltering in place, evacuating buildings, and informing our neighbors in the area of ongoing response protocols.”

The south pool waterfall, part of the National September 11 Memorial and Museum at the World Trade Center site. Photo by Reuters/Mike Segar

Despite the convergence of information, each property will still operate its own distinct security and building-management operation. Each will act autonomously, with a security command and operations center that includes guards and monitoring. Stakeholders will be provided access to the situational awareness platform information. Police and fire officials will, too.

Bringing together the various entities involved—agencies, fire and police, private stakeholders—has been no small feat, says Barani.

“The biggest challenge is education,” he says. “As far as I know, this has never been done before, never attempted on a scale this big. It would be easier if it were just the Port Authority involved, but there are commercial stakeholders at the site. There are the city agencies, NYPD and FDNY. There are stakeholders outside the site that have just as much at stake if we get attacked. The toughest part is educating these stakeholders and getting this information out to the point where they see this will benefit everyone, as a group with common security needs for lower Manhattan.”

But the cooperation is there, he says. And he is pleased with the progress he has made. The situational awareness platform, he notes proudly, is being talked about elsewhere, including among Port Authority officials, who are contemplating taking it agencywide.

“We are developing actionable information so that first responders can respond with as much information of the situation as can be generated from diverse systems at multiple locations through the development of scenario-based rules, and that’s the key. For example, we have over 4,000 cameras here. To actively monitor that would be impossible. The basis of the [Situational Awareness Platform], why it’s so powerful, is that we can reach out through the API and retrieve the information we need based on rules that we develop for that specific situation. We don’t have to monitor every single camera on the site, every alarm. We have to get the information in, correlate and fuse it and disseminate it in a coordinated fashion. With this system, we are able to do that.” ■

Contact Senior Editor Joan Goodchild at jgoodchild@cxo.com.
Caterpillar CSO Tim Williams and his team share five keys to creating a collaborative, efficient security operation. By Lauren Gibbons Paul

For a security industry leader, Tim Williams is a pretty modest guy. As the former head of ASIS International and now as global security director for the $42.5 billion construction equipment manufacturer Caterpillar, Williams has won his share of recognition, which he doesn’t take lightly.

But Williams would much rather tell you about his team—the individuals and their accomplishments—than about himself. His speech is strikingly devoid of the first-person singular. He declines to be photographed by himself for articles about his security work, saying his team members deserve the credit.

Creating and sustaining team spirit are clearly strong suits for Williams, who joined Caterpillar in 2006 after leadership stints at Nortel, Boise Cascade and Procter & Gamble. In a home-office-centric culture that valued longevity with the business, he quickly set about assembling a team that would embody the precepts of what he calls contemporary enterprise security risk management (ESRM). Here are the top five things he did to revitalize the team and mitigate risks across the entire enterprise:

1 Rethink everything. After taking stock for a few weeks of how the then-56-person security team operated, Williams moved swiftly to establish a global team focused on ESRM. ESRM takes a holistic view of the risks to people, networks and intellectual property. Williams felt Caterpillar had some exposure that needed to be addressed immediately. Two pressing issues: The security team had been based almost exclusively at headquarters in Peoria, Ill., and Williams felt there had been an unusual focus on physical security.

“We pushed the physical security responsibility back to property managers around central Illinois. We changed the outsourced partner and we established relationships out in the facilities with people who could manage the opportunity much more closely,” says Williams. He established regional security directors globally, covering Asia, Europe and the Middle East, and the Americas. “We were able to attract some of the best talent in the market at the time. They had the language capabilities and the cultural competency,” he says.

Caterpillar’s team emphasizes business skills, great communication, and openness to dissenting ideas

Many, like Graham Giblin, now regional security director for Europe, the Middle East and Africa, had lived in the areas they cover. For a company that had had a “Peoria first” mentality, this was a big departure. “Our internal focus transitioned to a global focus,” Giblin says.

Williams wrote a three-year operating plan detailing the revamped group’s strategic vision and alignment with corporate objectives, roles and responsibilities. Williams’ work at P&G gave him a deep and abiding love of precise process management, which served him well as he restructured the team.

“If you don’t have your processes clearly defined in a well-written strategy or operating plan, you could end up chasing what other groups believe your priorities are, versus those issues that actually pose the greatest risk or threat to the enterprise,” Williams says. “We articulated our plan to other staff groups, business leaders, and our executive management and the board, obtained agreement, and then set out to urgently execute the plan.”

Not everyone made the transition. “Many of our colleagues wanted us to return back to what we did before—the global role was not one they were prepared for or found interest in,” says Williams. There were also those who could not perform as the bar was raised. In all, the security function shed more than half its original group. Happily, many found other roles within the company.

Moving so quickly and making major reductions caught the culture a bit by surprise. To ease the transition, Williams enlisted the aid of a few human resources specialists and an internal communicator (who is discussed in Step 4) to help people understand what was happening and why.


2 Formalize underserved functions. Soon after he arrived, Williams put in place global crisis-management processes and personnel as part of his effort to re-engineer enterprise security. These processes were to be overseen by the newly minted regional security directors.

Todd Wagner was working in computer forensics for Caterpillar when he was recruited to crisis management. “We didn’t have a formal group at that time,” he says. “We now handle any crises that may impact Caterpillar—everything from natural disasters to terrorism to major disruptions in our supply chains.” Wagner brought experience as a shift commander for the FBI’s Terrorism Command Center to his new role as crisis coordinator for Caterpillar.

The crisis-management team had to mobilize to support local staff in Japan during the March earthquake and tsunami. Caterpillar immediately dispatched a crisis manager to the area. “Our first priority was to make sure our people are safe,” says Wagner. Caterpillar has 5,000-odd employees at three Japanese facilities, the closest of which is a little over 100 miles from the site of the disaster, outside the evacuation zone.

“Anytime we have a situation like that, we locate travelers, expatriates and local employees and make sure they’re safe,” says Wagner. Caterpillar has internal programs to track business travelers. “We don’t stop until we get through to them and can confirm they are safe. If we couldn’t do that, we would go to the local authorities. We also work with a local company that has boots on the ground that can help us track the person down. We might even send someone out to knock on the door of their hotel or house.” All Caterpillar personnel and family members were ultimately accounted for.

So far the company has held off pulling its people out of the disaster zone, but Williams, Wagner and the rest of the team are monitoring the situation, including radiation levels, closely, checking in daily with the Caterpillar VP in Japan. Production has been reduced but not halted by the crisis.

Ironically, just before the natural disaster struck Japan, Wagner attended a statewide disaster-preparedness exercise run by the Department of Homeland Security. “We did a tabletop exercise involving an earthquake on the New Madrid fault line [in Illinois]. We have dealt with tsunamis. The new piece was the nuclear fallout.”

Now nuclear catastrophe takes its place on the spectrum of risks facing Caterpillar employees, wherever they may be.


3 Demand proven business skills. Karen Frank remembers the day, early in Williams’ tenure as CSO, when he called an all-staff meeting to tell everyone they should seriously consider getting an MBA if they had not already done so. “I had never thought of it,” says Frank, brand protection and investigations manager.

She decided to take advantage of Caterpillar’s tuition reimbursement policy and pursue the degree. Williams’ emphasis on personal growth and development “made me feel important,” she says. “You can support the business much better if you understand the principles of business decision-making.”

Williams himself has an MBA, which made him a huge believer in its value. “I really saw the benefit and the ability to talk in depth with business leaders and get it from a business standpoint,” he says. And it drives him to distraction when people suggest sending employees to take a course that only teaches the “language of business.”

“Spouting catchphrases can get you into more trouble than it is worth. It’s better to take the time to really understand business principles through in-depth coursework. You need that immersion so you can put all the pieces together,” he says. It’s fine to refer to internal rates of return in a presentation, but you better know where that number comes from and the thresholds set by your company.

The new generation of security leaders understand business as well as they understand security. Many would prefer a business person as their deputy rather than a security person—security is easier to pick up. Says Williams, “I’m proud to be someone rooted in both worlds—I simply couldn’t have succeeded as CSO of a Fortune 100 company if I weren’t.”


4  Create  a  communications  czar 
for  security.  As  noted,  Wil¬ 
liams  made  some  sweeping 
changes  when  he  came  to  Cat¬ 
erpillar-changes  that  shook 
up  the  old  regime.  In  addition  to  asking  for 
help  from  HR,  he  pulled  in  Ashley  Hunt 
from  the  corporate  public  affairs  office  to 
be  his  communicator  for  security.  Unusual? 
Yes,  but  invaluable,  as  it  turned  out. 

Hunt  helped  communicate  the  reorgani- 
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zation  of  the  security  team  to  both  affected 
employees  and  the  broader  group.  “She  has 
helped  all  the  employees  understand  the 
real  risks  they  face,”  says  Williams.  “Ashley 
is  a  force  multiplier  for  us.” 

Now her role is much more proactive. She publishes a monthly security bulletin on the intranet—basically a newsletter with a variety of awareness information on topics such as travel security, scams and fraud. She includes some general awareness articles, too. “We help people understand the real security risks at Caterpillar. We want to change that perception of security and [of] the role each employee plays in creating a safe and secure environment,” says Hunt. She believes employees view security as having a higher value within the organization now, and they have a better understanding of the role they play in enterprise risk management.

For example, the Global Security function offers several educational resources concerning travel security. It’s part of Hunt’s job to help the team inform employees that this material is available. “Every traveling employee has an opportunity to participate in online security awareness training, receive security alerts while they travel and have access to 24/7 travel security advice,” says Hunt.

Other teachable topics include terrorism, workplace violence, crisis preparedness, and information security.

Hunt spends roughly half her time on security matters and the other half on general corporate affairs. She has not yet encountered anyone who performs her role at another company. Williams hasn’t either. “[The security department] is one of the best internal clients I have ever had. You know what you’re going to get when you work with them,” she says. Williams is a straightforward guy, pleasant to work for, requiring little second guessing on strategy or tactics. “He values communication, which makes my work more effective for Caterpillar and more fulfilling for me personally,” says Hunt.

5. Nurture dissent. File this one under easy to say, hard to do. Williams encourages his staff to bring honest disagreement to the table—respectfully, of course—whenever it comes up. “He’s very open,” says Frank. “He is open to the opinions of others.”

“On our teams, we have direct, crucial conversations,” says Williams. “We have respect, but we get the conversations on the table. I solicit people to challenge management. That is so critical. It creates much better decisions when people can respectfully and openly challenge assumptions, thinking and decisions.” Giblin, for example, may disagree on how certain processes and protocols are implemented in his region, and he feels comfortable letting Williams and the rest of the team know. Like Williams, he encourages his staff to bring up differing points of view.

It’s not just disagreeing; anyone can say they don’t agree. “People should point out if they think we should look at something from a different perspective. It’s healthy to have differing opinions on issues—it keeps us away from the traps of groupthink—and keeps all of us focused. It happens every week.”

At Caterpillar, the voice of the individual is important—maybe more so than at most companies—though in some regions, that can be tricky. In most countries, “there still is a gap between what people think and what they feel comfortable saying,” says Williams. “What they do want is the opportunity to influence decisions.”

No matter where Caterpillar employees are located, they have at least one thing in common: the knowledge that the company’s whole is more important than its individual members. Williams learned this the hard way when he praised one of his regional security directors for a job well done. The executive almost resigned because he felt the credit should go to his team.

It’s an odd lesson for Williams to have to learn anew, given his own unshakable devotion to teamwork. He is immensely proud of the team he has assembled. As he works on his security plan for the next five years, he trusts they will be at his side, helping to carry the ball. “They excel daily. I am very proud of this team,” he says. “Each person is mutually supportive and doing a great job.” ■


Lauren Gibbons Paul is a freelance writer based in Massachusetts. Send feedback to editor Derek Slater at dslater@cxo.com.


Photo by Reuters/Joshua Lott


September 2011 www.csoonline.com 29


[FORRESTER VIEW]

By Ed Ferrara, Forrester Research

Seven Metrics that Characterize Security in Business Terms


The role of the CISO is evolving and moving out of IT; its responsibilities and focus are shifting from IT risk to business risk. According to a recent Forrester survey, 54 percent of CISOs now report to a C-level executive—a nine percent increase from 2009. At the same time, 42 percent of CISOs now report out of IT. As reporting relationships change and the enterprise kicks CISOs upstairs, they need to learn the language of the executive suite. Specifically, CISOs must understand that business executives:

■ Don’t really care about traditional operational security metrics. If you’re talking about threat postures, attack surfaces, and logic bombs, you can be sure that the CEO or CFO will soon stop listening. CISOs who use the technical language of information security run the risk of alienating their peers and managers at the executive table. CISOs are a company’s most influential security consultants, so it is increasingly important for them to use language that explains information security from a business perspective.

■ Demand performance and accountability from expensive programs. C-level executives have laser-like focus on business performance, so as the investment in information security programs increases, CISOs need to explain how their organization performs. Accordingly, the performance rules that govern the broader organization now apply to information security as well.

Information security is a big-ticket item. For example, Catholic Health Initiatives is in the process of implementing a $1.3 billion upgrade to its healthcare information systems. As part of this upgrade, the healthcare provider will spend $100 million on information security. If you claim a high-cost project will deliver certain value, the organization will ask you to prove it.

Business executives focus on increasing revenue, streamlining operations, and delivering top-notch customer service. To support these goals, measure your organization with these seven key metric categories and then use them to communicate your organization’s effectiveness.


1. Alignment to strategic goals. Your efforts and investments should be planned to support your company’s strategic goals. For example, if accelerated sales growth is a goal, work with the business to evaluate the use of new mobile technology and the consequences it will have on sales growth, and then advise the business on the risks the new technology presents and, most important, how to mitigate those risks.

2. Functional alignment to business operations. Functional alignment is important because it shows that the information security group is in touch with operational realities. It demonstrates the security organization’s ability to support the business in achieving day-to-day performance objectives. You will win a lot of points with business unit leaders if you can show you are doing things to support their efforts.

3. Regulatory compliance. Compliance is one of the most important functions of the information security team. Measure your success in achieving compliance. Show you know how to support your organization’s compliance needs.

4. Efficiency and effectiveness. CISOs need to be good managers. Show your organization that you know how to run a business. The CISO who shows they can manage programs and projects on time and under budget will get the respect and resources to do more. Success in this category will bring recognition and trust.

5. Process excellence. Security is a very process-driven business. If you can demonstrate process improvement—reducing unnecessary steps in information security activities and using process to support business alignment—you will free up resources to accomplish more in the future.

6. Service and quality. All organizations have customers. Quality service and attention to detail are key performance indicators for all organizations, and information security is no exception. Use this metric to demonstrate how the security organization provides strong customer service and quality in all the work it performs.

7. Innovation. Innovation and creativity allow the security organization to excel at all the other metrics. Innovation demonstrates how the security organization provides new ways to handle workloads, control costs and meet corporate objectives. ■


Ed Ferrara is a principal analyst at Forrester Research, where he serves security and risk professionals.




Defense Against the Dark Arts

Do you know enough arcane vocabulary to impress your party guests?

1. Barbican
a. Exterior walled passage at a castle entrance that forces intruders into a narrow space
b. Development project name for software on the first DEC VAX
c. Australian for “grill”

2. Blowback
a. Erroneous results from a ping that flood and disable the inquiring computer
b. Misinformation planted by spies from country A to mislead country B, that then filters back and misleads the government of country A
c. Clues in legitimate tax returns that lead to discovery of fraud

3. Chad Box
a. A variation on Nigerian or 411 scams
b. Non-shredding discard box for visitor badges
c. Receptacle for debris from 70s data-processing punchcards

4. Cobbler
a. Espionage agent who creates false documents
b. Infosec defender with capabilities equal to a script kiddie
c. Tasty dessert that makes fruit unhealthy to eat

5. Dry Cleaning
a. Vacuuming dust out of an old computer chassis
b. Methods used by a spy to figure out if he or she is being watched
c. Washing illicit funds through a series of businesses to confuse the audit trail

6. Innocent Postcard
a. Email to sysadmins attempting to explain porn surfing was “accidental”
b. High-volume, low-content email sent to slow down any subsequent e-discovery efforts
c. Meaningless message sent to an address in a neutral country, verifying that a covert operative is still safe

7. Kapelle
a. Top secret communications security device used by the KGB; operators were called pianists
b. A gable atop castle ramparts intended to deflect projectiles
c. ’90s boy band with limited commercial success

8. Layering
a. Including slightly different misinformation in each of several versions of a story told to multiple mistrusted people
b. Washing illicit funds through a series of businesses to confuse the audit trail
c. Serving multiple types of cobbler in the same dish

9. Murder Hole
a. A small opening in the chad box
b. An apparently minor misconfiguration
c. A hole in a passage wall or ceiling that castle defenders used to shoot arrows at invaders

10. Starburst Maneuver
a. Cars in a convoy suddenly go in different directions to identify or shake anyone tailing them
b. Any very simple hacking technique (as in “candy from a baby”)
c. Washing illicit funds through a series of businesses to confuse the audit trail
b  oi  6  !q  8  L  ia  9 
!q  s  !e  >  ii  £  :q  z  i  SU3MSNV 


How’d You Do?

0-4 points: Try to read more often.
5-7 points: Well done.
8-10 points: Try to get outside more often.